Monitoring failed attempt to modify a file.

Keeping track of failed attempts to modify files is important as it helps the administrator identify the user account from which the attempts were made. This makes it simpler for the organization to identify any threat to valuable information. The threat could emanate from a rogue insider or an external threat actor who has compromised an user account.

This information can be retrieved from Event viewer with the help of event ID 4656 or 4663. However ADAudit Plus offers a simpler solution. ADAudit Plus, an Active Directory auditing and reporting tool, has 200+ pre-packaged audit reports and the "failed attempt to write file" report is one of them. With a few clicks, you will have detailed reports on failed attempts to modify a file. Here is a comparison on finding details on failed access attempts on modifying files using AD tools and ADAudit Plus.

Download for FREE Free, fully functional 30-day trial
  • With Native AD Auditing

  • With ADAudit Plus

ADAudit Plus is real-time, web-based Windows Active Directory change reporting software that audits, tracks and reports on Windows (Active Directory, workstations logon/logoff, file servers and servers), NetApp filers and EMC servers to help meet the most-needed security, audit and compliance demands. Track authorized/unauthorized AD management changes, access of users, GPO, groups, computer and OU. Also, track all modifications, access and permissions changes with 200+ detailed event-specific reports and instant emails alerts. These reports can be exported to XLS, HTML, PDF and CSV formats to assist in interpretation and computer forensics.

ADAudit Plus lets administrators see all failed attempts at modifying a file and information on who attempted to modify, what machine they attempted to make changes from, when, and the reason for failure access.

  • Login to ADAudit Plus ➔ Go to the File Audit tab ➔ Under User Based Reports ➔ Navigate to any of the below mentioned reports.

    1. Failed attempt to read file

    2. Failed attempt to write file

    3. Failed attempt to delete file

  • Select the Domain.

  • Select Export As to export the report in any of the preferred formats (CSV, PDF, HTML, CSVDE and XLSX).

  • The details you get in this report are:

  • User Name of that account that tried to modify the file and failed.

  • IP address of the user.

  • The time when the access failure happened.

  • The computer or server in which the failure took place.

With native auditing, here is how you can track failed attempts to modify a file.

  • Step 1: Enable auditing for Object Access failure.
  • Logon to your domain controller with administrative privileges and launch the Group Policy Management console.

  • Right-click the appropriate Group Policy Object linked to the Domain Controllers container and select Edit.

  • Navigate to Computer Configuration -> Windows Settings -> Security Settings ->Local Policies -> Audit Policy.

  • Under Audit Policy, select 'Audit object access' and turn auditing on for both success and failure.

  • Step 2 – View events using Windows Event Viewer
  • After enabling auditing, you can use Event Viewer to see the logs and investigate events. Follow the below mentioned steps:

  • Open Event Viewer

  • Expand Windows Logs > Security

  • Create a custom view for Event ID 4656/4663. This ID indicates object access request.

  • Double click on the event. You can view detailed information about the activity such as account name, date and time of login failure.

Native auditing becoming a little too much?

Simplify File Server auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Related How-tos

Request Support


One of our solution experts will get in touch with you shortly.

    Please enter business email address
  • By clicking 'Send Request', you agree to processing of personal data according to the Privacy Policy.

© 2019 Zoho Corp. All rights reserved.